https://redmine.openinfosecfoundation.org/
2019-11-05T10:52:05Z
Open Information Security Foundation
Suricata - Feature #3297: more verbose dcerpc logging
https://redmine.openinfosecfoundation.org/issues/3297?journal_id=14484
2019-11-05T10:52:05Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Parent task</strong> deleted (<del><i>#3288</i></del>)</li></ul>
https://redmine.openinfosecfoundation.org/issues/3297?journal_id=14486
2019-11-05T10:52:10Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Related to</strong> <i><a class="issue tracker-5 status-2 priority-4 priority-default child" href="/issues/3288">Task #3288</a>: Suricon 2019 brainstorm</i> added</li></ul>
https://redmine.openinfosecfoundation.org/issues/3297?journal_id=14509
2019-11-05T11:08:12Z
Victor Julien
victor@inliniac.net
<ul><li><strong>Related to</strong> <i><a class="issue tracker-4 status-5 priority-5 priority-high3 closed" href="/issues/2779">Optimization #2779</a>: Convert DCE_RPC from C to Rust</i> added</li></ul>
https://redmine.openinfosecfoundation.org/issues/3297?journal_id=14510
2019-11-05T11:08:43Z
Victor Julien
victor@inliniac.net
<p>Currently only the DCERPC over SMB generates output as part of the SMB logging.</p>
https://redmine.openinfosecfoundation.org/issues/3297?journal_id=14631
2019-11-08T21:36:34Z
Jason Taylor
<p>Looking at the pcaps I have, there is a bit much to sanitize. I emailed the pcaps and logs to Victor. I will gather/organize some more pcaps but wanted to get something over in the interim to give an idea of what we are looking for in a parser.</p>
https://redmine.openinfosecfoundation.org/issues/3297?journal_id=15080
2020-01-03T15:07:14Z
Joseph Feather
<ul><li><strong>File</strong> <a href="/attachments/1913">smb-on-windows-10.pcapng</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1913/smb-on-windows-10.pcapng">smb-on-windows-10.pcapng</a> added</li><li><strong>File</strong> <a href="/attachments/1914">smb.json</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1914/smb.json">smb.json</a> added</li></ul><p>Suricata dcerpc output doesn't contain the opnum for the procedure call, in this example 15 (NetShareEnum). Full smb log is attached along with the pcap.</p>
<pre><code class="javascript syntaxhl" data-language="javascript">{
  "timestamp": "2016-10-16T08:16:01.434363+0000",
  "flow_id": 1881918157182233,
  "pcap_cnt": 874,
  "event_type": "smb",
  "src_ip": "192.168.199.132",
  "src_port": 49675,
  "dest_ip": "192.168.199.133",
  "dest_port": 445,
  "proto": "TCP",
  "smb": {
    "id": 8,
    "dialect": "3.11",
    "command": "SMB2_COMMAND_WRITE",
    "status": "STATUS_SUCCESS",
    "status_code": "0x0",
    "session_id": 127543348822037,
    "tree_id": 1,
    "dcerpc": {
      "request": "BIND",
      "response": "BINDACK",
      "interfaces": [
        {
          "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
          "version": "3.0",
          "ack_result": 2,
          "ack_reason": 0
        },
        {
          "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
          "version": "3.0",
          "ack_result": 0,
          "ack_reason": 0
        },
        {
          "uuid": "4b324fc8-1670-01d3-1278-5a47bf6ee188",
          "version": "3.0",
          "ack_result": 3,
          "ack_reason": 0
        }
      ],
      "call_id": 2
    }
  },
  "host": "roundrob2_eint"
}
</code></pre>
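As an added example (not code from this ticket or from Suricata), a small log-triage script over constructed EVE lines in the shape shown above: it attributes each dcerpc REQUEST to the interface bound earlier on the same flow (the UUID in the log is srvsvc) and flags requests whose record carries no opnum, which is the gap the report describes. The placement of an `opnum` key in the constructed REQUEST line is an assumption, not Suricata's documented output.

```python
import json

# Well-known DCERPC interface UUIDs (documented by Microsoft); only srvsvc
# appears in the log above, the other two are listed so the mapping is not a toy.
KNOWN_INTERFACES = {
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc",
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl",
    "12345778-1234-abcd-ef00-0123456789ac": "samr",
}
SRVSVC_OPNUMS = {15: "NetShareEnum"}  # the opnum named in the report

# Constructed EVE lines: the BIND from the page (trimmed), a REQUEST in the
# old shape with no opnum, a REQUEST carrying an opnum (key name assumed),
# and an unrelated flow record that must be ignored.
SAMPLE_EVE = [
    '{"event_type":"smb","flow_id":1881918157182233,"smb":{"id":8,"dcerpc":'
    '{"request":"BIND","response":"BINDACK","call_id":2,"interfaces":[{"uuid":'
    '"4b324fc8-1670-01d3-1278-5a47bf6ee188","version":"3.0","ack_result":0}]}}}',
    '{"event_type":"smb","flow_id":1881918157182233,"smb":{"id":9,"dcerpc":'
    '{"request":"REQUEST","response":"RESPONSE","call_id":3}}}',
    '{"event_type":"smb","flow_id":1881918157182233,"smb":{"id":10,"dcerpc":'
    '{"request":"REQUEST","response":"RESPONSE","call_id":4,"opnum":15}}}',
    '{"event_type":"flow","flow_id":42}',
]

def summarize_dcerpc(eve_lines):
    """One summary per SMB record with a nested dcerpc object. BIND records
    name the interface; REQUESTs are attributed to the interface bound
    earlier on the same flow, and opnum is None when the log omits it."""
    bound, out = {}, []
    for line in eve_lines:
        rec = json.loads(line)
        dce = rec.get("smb", {}).get("dcerpc")
        if rec.get("event_type") != "smb" or dce is None:
            continue
        flow = rec.get("flow_id")
        if dce.get("request") == "BIND":
            uuids = [i.get("uuid") for i in dce.get("interfaces", [])]
            bound[flow] = sorted({KNOWN_INTERFACES.get(u, u) for u in uuids if u})
        opnum, names = dce.get("opnum"), bound.get(flow, [])
        out.append({"flow_id": flow, "request": dce.get("request"),
                    "call_id": dce.get("call_id"), "interfaces": names, "opnum": opnum,
                    "procedure": SRVSVC_OPNUMS.get(opnum) if "srvsvc" in names else None})
    return out

def missing_opnum(summaries):
    """call_ids of REQUEST records that logged no opnum: the gap reported above."""
    return [s["call_id"] for s in summaries
            if s["request"] == "REQUEST" and s["opnum"] is None]
```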
https://redmine.openinfosecfoundation.org/issues/3297?journal_id=18272
2020-11-09T05:10:16Z
Shivani Bhardwaj
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li><li><strong>Assignee</strong> changed from <i>Jason Taylor</i> to <i>Shivani Bhardwaj</i></li><li><strong>Target version</strong> changed from <i>TBD</i> to <i>6.0.0</i></li></ul><p>Logging has been added to DCERPC now. It does log the opnum for requests now: <a class="external" href="https://github.com/OISF/suricata/pull/5190/commits/9f9670ebdc5ea15ccc35274dd48ca00165dcbe51">https://github.com/OISF/suricata/pull/5190/commits/9f9670ebdc5ea15ccc35274dd48ca00165dcbe51</a><br />s-v test for the same: <a class="external" href="https://github.com/OISF/suricata-verify/tree/master/tests/dcerpc/dce-logging">https://github.com/OISF/suricata-verify/tree/master/tests/dcerpc/dce-logging</a></p>